NVIDIA · ddurst-nvidia · Jun 16, 2026 · Jun 10, 2026 · Jun 10, 2026 · Jun 10, 2026
@@ -44,6 +44,9 @@ jobs:
             cmd: "mise run --no-deps --skip-deps e2e:podman:rootless"
             apt_packages: "openssh-client podman uidmap"
             rootless: true
+          - suite: mcp
+            cmd: "mise run --no-deps --skip-deps e2e:mcp"
+            apt_packages: ""
     container:
       image: ghcr.io/nvidia/openshell/ci:latest
       credentials:
@@ -66,6 +69,23 @@ jobs:
         with:
           ref: ${{ inputs['checkout-ref'] || github.sha }}
 
+      - name: Check out MCP conformance tests
+        if: matrix.suite == 'mcp'
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          repository: modelcontextprotocol/conformance
+          # Pin after v0.1.16 to include the tools_call client scenario fix.
+          ref: b9041ea41b0188581803459dbae71bc7e02fd995
+          path: .cache/mcp-conformance
+
+      - name: Set up Node.js
+        if: matrix.suite == 'mcp'
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+        with:
+          node-version: "22"
+          cache: npm
+          cache-dependency-path: .cache/mcp-conformance/package-lock.json
+
       - name: Install OS test dependencies
         if: matrix.apt_packages != ''
         env:
@@ -104,6 +124,7 @@ jobs:
       - name: Run tests
         env:
           OPENSHELL_SUPERVISOR_IMAGE: ${{ format('ghcr.io/nvidia/openshell/supervisor:{0}', inputs.image-tag) }}
+          OPENSHELL_MCP_CONFORMANCE_CLIENT_IMAGE: ${{ format('openshell-mcp-conformance-client:{0}', inputs.image-tag) }}
           E2E_CMD: ${{ matrix.cmd }}
         run: |
           if [ "${{ matrix.rootless }}" = "true" ]; then

@@ -8,7 +8,7 @@ members = ["crates/*"]
 [workspace.package]
 version = "0.0.0"
 edition = "2024"
-rust-version = "1.88"
+rust-version = "1.90"
 license = "Apache-2.0"
 repository = "https://github.com/NVIDIA/OpenShell"
 
@@ -73,6 +73,7 @@ serde_json = "1"
 serde_yml = "0.0.12"
 toml = "0.8"
 apollo-parser = "0.8.5"
+tower-mcp-types = "0.12.0"
 
 # HTTP client
 reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls-native-roots"] }

@@ -49,6 +49,15 @@ paths, such as proxy support files or GPU device paths when a GPU is present.
 All ordinary agent egress is routed through the sandbox proxy. The proxy
 identifies the calling binary, checks trust-on-first-use binary identity, rejects
 unsafe internal destinations, and evaluates the active policy.
+For inspected HTTP traffic, the proxy can enforce REST method/path rules,
+WebSocket upgrade and text-message rules, GraphQL operation rules, and
+MCP or generic JSON-RPC method and params rules on sandbox-to-server request
+bodies. MCP and JSON-RPC inspection buffers up to the endpoint
+`mcp.max_body_bytes` or `json_rpc.max_body_bytes` limit. Literal dotted keys in
+JSON-RPC params are rejected before policy evaluation so they cannot be confused
+with flattened nested selector paths. JSON-RPC responses and server-to-client
+MCP messages on response or SSE streams are relayed but are not currently
+parsed for policy enforcement.
 
 `https://inference.local` is special. It bypasses OPA network policy and is
 handled by the inference interception path:

@@ -205,6 +205,8 @@ fn group_allow_rules(specs: &[String]) -> Result<BTreeMap<(String, u32), Vec<L7R
                     operation_type: String::new(),
                     operation_name: String::new(),
                     fields: Vec::new(),
+                    rpc_method: String::new(),
+                    params: HashMap::default(),
                 }),
             });
     }
@@ -226,6 +228,8 @@ fn group_deny_rules(specs: &[String]) -> Result<BTreeMap<(String, u32), Vec<L7De
                 operation_type: String::new(),
                 operation_name: String::new(),
                 fields: Vec::new(),
+                rpc_method: String::new(),
+                params: HashMap::default(),
             });
     }
     Ok(grouped)